function-mesh
need to fix operator security vulnerabilities
The function-mesh-operator has some security vulnerabilities, and we need to fix them; refer to:
https://artifacthub.io/packages/helm/function-mesh/function-mesh-operator?modal=security-report
- [x] CVE-2021-36159. We can fix this by upgrading the operator's base image from alpine 3.10 to alpine 3.12+ (maybe alpine 3.14 would be more appropriate?)
- [ ] CVE-2022-27191. Fix the CVE as advised.
- [ ] CVE-2020-8565. Fix the CVE as advised.
- [ ] CVE-2021-38561. Fix the CVE as advised.
- [x] CVE-2020-9283 fix by #478
Following the link provided above, today in v0.4:
10 vulnerabilities have been detected in this package's images.

https://catalog.redhat.com/software/containers/streamnative/function-mesh/62d06b34df1077330aa2619d?container-tabs=security
In the Red Hat link above, the Red Hat security score of A unfortunately has no real meaning for the overall security:
This image includes layers and packages that cannot be scanned or compared to public vulnerability information.
The Container Health Index analysis is based on RPM packages signed and created by Red Hat, and does not grade other software that may be included in a container image.

Of course it's hard to fix all of them...
What do you think of adopting the distroless approach to get rid of software in containers that contains security problems but is actually not needed anyway?
Just opened a new issue with some background and sources on the distroless approach: https://github.com/streamnative/function-mesh/issues/448
Today in v0.6, per https://artifacthub.io/packages/helm/function-mesh/function-mesh-operator?modal=security-report:
13 vulnerabilities have been detected in this package's images.

Just an update on the freshly released v0.7: 14 vulnerabilities (14 fixable) have been detected in this package's images.
source: https://artifacthub.io/packages/helm/function-mesh/function-mesh-operator?modal=security-report

Some more details:

As background info, the security scanner used by Artifact Hub to produce the results shown above is Trivy, so all the findings should be pretty valid.
For details, see: https://artifacthub.io/docs/topics/security_report/
and trivy https://github.com/aquasecurity/trivy
There is also an easy-to-use GitHub Action for scanning with Trivy, covering:
- the complete repository,
- pull requests,
- Docker containers,
- IaC,
- etc.
=> Maybe it is interesting to integrate this directly into the CI pipeline... See the README of https://github.com/aquasecurity/trivy-action
Extract:
These 5 updates to the latest versions should solve all 14 vulnerabilities found:
- [x] https://github.com/prometheus/client_golang/releases
- [x] https://github.com/kubernetes/client-go/tags
- [ ] https://pkg.go.dev/golang.org/x/text?tab=versions
- [x] https://pkg.go.dev/golang.org/x/crypto?tab=versions
- [ ] https://pkg.go.dev/golang.org/x/net?tab=versions
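As an added example (not code from this thread or from the function-mesh project), here is a small Go gate in the spirit of the trivy-action suggestion above and of the dependency list it leads to: it reads the JSON that `trivy image -f json` writes, fails the job when a fixable HIGH/CRITICAL finding remains, and still counts the unfixed ones instead of hiding them. The embedded report is constructed for illustration only; the image name, versions and package-to-CVE pairing are assumptions, not the output of a real scan of the operator image.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
)

// Report mirrors the subset of Trivy's JSON output (`trivy image -f json`) a CI
// gate needs; FixedVersion is empty when no fix has been released yet.
type Report struct {
	Results []struct {
		Target          string          `json:"Target"`
		Vulnerabilities []Vulnerability `json:"Vulnerabilities"`
	} `json:"Results"`
}
type Vulnerability struct {
	VulnerabilityID  string `json:"VulnerabilityID"`
	PkgName          string `json:"PkgName"`
	InstalledVersion string `json:"InstalledVersion"`
	FixedVersion     string `json:"FixedVersion"`
	Severity         string `json:"Severity"`
}

// Finding is a blocking vulnerability plus the upgrade that clears it; Summary
// is the gate's verdict: Fixable fails the build, Unfixed is only reported.
type Finding struct{ Target, ID, Pkg, Installed, Fixed, Severity string }
type Summary struct {
	Fixable []Finding
	Unfixed int
}

// severityRank orders Trivy's severity strings so a threshold can be applied.
var severityRank = map[string]int{"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// SampleReport is a constructed, abbreviated report in Trivy's JSON shape; the
// image name, versions and package/CVE pairing are illustrative, not a real scan.
const SampleReport = `{"Results": [
  {"Target": "example.invalid/function-mesh-operator:dev (alpine 3.10.9)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2021-36159", "PkgName": "apk-tools", "InstalledVersion": "2.10.6-r0", "FixedVersion": "", "Severity": "CRITICAL"}]},
  {"Target": "manager", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2022-27191", "PkgName": "golang.org/x/crypto", "InstalledVersion": "v0.0.0-20201002170205-7f63de1d35b0", "FixedVersion": "v0.0.0-20220314234659-1baeb1ce4c0b", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-2021-38561", "PkgName": "golang.org/x/text", "InstalledVersion": "v0.3.6", "FixedVersion": "v0.3.7", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-2020-8565", "PkgName": "k8s.io/client-go", "InstalledVersion": "v0.19.0", "FixedVersion": "v0.20.0-alpha.2", "Severity": "MEDIUM"}]}
]}`

// Gate decodes a report and splits findings at or above minSeverity into fixable
// (block the build, the policy behind `trivy --ignore-unfixed --exit-code 1`) and
// unfixed (report only). An unfixed OS-package CVE usually means the base image
// is EOL and must be replaced (the alpine 3.10 -> 3.12+ case in this thread), so
// it is counted rather than silently dropped.
func Gate(data []byte, minSeverity string) (Summary, error) {
	var r Report
	if err := json.Unmarshal(data, &r); err != nil {
		return Summary{}, fmt.Errorf("decode trivy report: %w", err)
	}
	var s Summary
	for _, res := range r.Results {
		for _, v := range res.Vulnerabilities {
			if severityRank[v.Severity] < severityRank[minSeverity] {
				continue
			}
			if v.FixedVersion == "" {
				s.Unfixed++
				continue
			}
			s.Fixable = append(s.Fixable, Finding{res.Target, v.VulnerabilityID, v.PkgName, v.InstalledVersion, v.FixedVersion, v.Severity})
		}
	}
	// Most severe first, then by CVE ID, so CI output is stable between runs.
	sort.Slice(s.Fixable, func(i, j int) bool {
		a, b := s.Fixable[i], s.Fixable[j]
		if severityRank[a.Severity] != severityRank[b.Severity] {
			return severityRank[a.Severity] > severityRank[b.Severity]
		}
		return a.ID < b.ID
	})
	return s, nil
}

// main reads a report from stdin (`trivy image -f json IMG | go run . -`) or
// falls back to the sample, and exits 1 when fixable HIGH+ findings remain.
func main() {
	data := []byte(SampleReport)
	if len(os.Args) > 1 && os.Args[1] == "-" {
		var err error
		if data, err = io.ReadAll(os.Stdin); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	}
	s, err := Gate(data, "HIGH")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range s.Fixable {
		fmt.Printf("%-8s %-15s %-22s %s -> %s\n", f.Severity, f.ID, f.Pkg, f.Installed, f.Fixed)
	}
	fmt.Printf("%d fixable, %d unfixed (check base image EOL)\n", len(s.Fixable), s.Unfixed)
	if len(s.Fixable) > 0 {
		os.Exit(1)
	}
}
```

Run after the scan step in CI (`trivy image -f json IMG | go run . -`), this gives the same pass/fail that trivy-action's `exit-code: 1` together with `ignore-unfixed: true` produces, plus a visible count of unfixed findings. That count is the caveat worth keeping: the constructed apk-tools entry has no FixedVersion because its base image is end-of-life, so an unfixed-ignoring gate alone would stay green while the real remedy, bumping the alpine version, is still outstanding.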
FYI: a CRITICAL vulnerability was newly introduced with release v0.8 by using an old version of https://github.com/emicklei/go-restful/tags, 2.9.5 from May 16, 2019; the latest would be v2.16.0 or even v3.10.0.
Some others were nicely cleaned up by updating dependencies!
In summary, this leads to a security rating of F (where A is the best).
For details:

https://artifacthub.io/packages/helm/function-mesh/function-mesh-operator?modal=security-report
Hm, that looks bad. I will add a workflow to scan for the vulnerabilities.
For further thoughts on this topic see https://github.com/streamnative/function-mesh/pull/527#discussion_r1026188441
Looks like they may be introduced by metrics-server, which has an open issue for this: https://github.com/kubernetes-sigs/metrics-server/issues/1096
or by kube-state-metrics, where a new version was just released (v2.7): https://github.com/kubernetes/kube-state-metrics/releases (current rating: A - No vulnerabilities found)
Closing as resolved.
Perfectly solved:
security rating: A
See

https://artifacthub.io/packages/helm/function-mesh/function-mesh-operator?modal=security-report